Save Net Neutrality

We're fighting to ensure you and your family can get a fair deal in the marketplace, especially on the choices that matter most: health care, privacy, automobiles, food, finances and more. Join our campaigns and together, we'll hold corporations and lawmakers accountable.

Upcoming legislation would mandate quicker notifications after data breaches and prohibit the sale of student data collected in schools

Find Ratings

Americans have faced one data breach after another in the past year, from Home Depot to Target to Sony. In light of that, President Obama today announced that he would promote legislation to protect the privacy of consumers, prevent identity theft, and stop the sale of student data to third parties.

Cybercrime, said the President during an address to the Federal Trade Commission, “is a direct threat to the economic security of American families, and we’ve got to stop it.”

One way he proposes to do that is with the Personal Data Notification and Protection Act, which would require companies to inform consumers of a data breach within 30 days of discovery.

Ellen Bloom, Senior Director of Federal Policy and the Washington Office for Consumers Union, attended the announcement. “This is real progress on a tough issue," she said. "We think a federal standard should be a floor, not a ceiling, for states that want to do more to protect consumers’ information.”

Some privacy advocates say they'll be watching to see whether federal legislation on data breach notifications affects progress already made by state legislatures. “By and large, the states have good protections in place; we’d hate to see a bill that preempts and weakens state standards,” Justin Brookman, director of consumer privacy for the Center for Democracy and Technology, told us via e-mail. One issue, he said, could be how serious a breach needs to be before it triggers the law. Additionally, some states allow individuals to launch lawsuits after data breaches; advocates will be watching to see if proposed legislation limits such legal action. “In order to be more effective, a federal bill will need to provide additional protections that aren’t included in the state bills today,” he said.

Our Buying Guide will help you choose the security software that's right for you.

Look also for a “privacy bill of rights” proposal coming from the White House in the coming weeks. “We pioneered the Internet, but we also pioneered the Bill of Rights,” Obama said. “We have a sphere of privacy around us that should not be breached.” The proposed law will be based on the principles outlined in the White House’s “Consumer Privacy Bill of Rights” that was released in 2012.

A third prong of the President’s plan encompasses privacy for children, specifically students. The Student Digital Privacy Act would ensure that data collected while children are in school is not sold to third parties. Cyberspace is “all pervasive” for kids, Obama said. “We want our kids’ privacy protected whenever they sign on or log on, even at school.”

The law will focus on preventing marketers from subjecting students to targeted advertising. It could be based on what the President called a "landmark" bill in California that protects K-12 students. “Right now, there’s a lot of uncertainty under the law about what third-party service providers can do with student data they collect,” said the CDT’s Brookman. “[V]endors can collect virtually anything for school purposes—from what the kids eat to how they’re doing on tests.” While that probably won’t change under any bill, according to Brookman, the proposed legislation will help limit how companies advertise to children.

We’ll take a closer look in the coming weeks at what we think belongs in a Privacy Bill of Rights for consumers, as well as what may or may not change under the new laws, if they’re passed.